qReflector Learning Hub
Readiness Module · 3-5 minutes

What is a CBOM?

A CBOM shows what cryptography a system depends on.

Where is cryptography used?Who owns it?Which parts may become risky?What should be reviewed first?

A CBOM is useful when it supports decisions.

It is weak when it is only a technical export that nobody can act on.

30-Second Scan
What does CBOM mean?
Cryptography Bill of Materials.
What does it describe?
Algorithms, protocols, certificates, keys, libraries, systems, vendors, owners, and risk context.
Why does it matter for PQC?
You cannot plan post-quantum migration if you do not know where vulnerable cryptography is used.
Is it the same as an SBOM?
No. An SBOM focuses on software components. A CBOM focuses on cryptographic components and usage.
Is there a format?
CycloneDX has explicit CBOM support. SPDX is mainly useful as SBOM context.
What should it support?
Risk review, vendor questions, migration planning, audit, and crypto-agility.

The Page in One Picture

1

Discover

Find cryptography in systems, traffic, certificates, source code, vendors, products, and configurations.

2

Organise

Connect findings to systems, owners, business use, data lifetime, vendors, and risk.

3

Structure

Create a CBOM: a structured record of cryptographic components and dependencies.

4

Decide

Prioritise what needs review, vendor follow-up, testing, replacement, or migration.

find it → organise it → structure it → act on it

What a CBOM Is

A structured record

A CBOM records cryptographic information in a way that can be reviewed, shared, updated, and used for planning.

systemsapplicationsproductsprotocolsalgorithmscertificateskeyslibrariesownersvendorsbusiness usedata lifetimerisk levelmigration priority

The exact format matters less than the quality of the information.

A clean file with poor context is not a good CBOM.

Not just a certificate scan

Certificate scans are useful, but they are only one view.

A company also needs to understand cryptography in:

  • internal services
  • VPNs
  • identity systems
  • cloud platforms
  • software updates
  • code signing
  • embedded devices
  • network appliances
  • vendor products
  • long-term archives

For PQC readiness, the hidden parts often matter most.

How to Picture It — What a CBOM Connects
1

Business context

What system is this?What data does it protect?How important is it?
2

Cryptographic use

TLSVPNPKIdigital signatureencryption at restkey exchange
3

Technical detail

RSA / ECC / AES / SHAprotocolcertificatekey sizelibraryversion
4

Ownership

system ownertechnical ownervendor ownercontract owner
5

Decision

monitorask vendortest upgradeprioritise migrationaccept temporarily

system → cryptography → owner → risk → action

The Useful Mental Model

CBOM is not the first step.

It usually comes after discovery work.

StepWhat It DoesOutput
Crypto discoveryFinds where cryptography is used.Raw findings.
Cryptographic inventoryOrganises findings by system, owner, vendor, and risk.Operational view.
CBOMStructures cryptographic components and dependencies.Shareable record.
Readiness planningDecides what to review or change first.Roadmap and actions.

Discovery finds it.

Inventory makes it understandable.

CBOM makes it structured.

Readiness work makes it actionable.

Example CBOM Record

System

Customer portal

Business use

Customer login and account access

Cryptographic use

TLS certificate and key exchange

Protocol

TLS

Algorithms

ECDSA certificate; ECDHE key exchange; AES symmetric encryption

Owner

Web platform team

Vendor

External hosting provider

Data protected

Customer account data

Data lifetime

Medium to long

PQC relevance

Public-key cryptography used for identity and key exchange

Migration concern

Certificate and TLS stack controlled partly by vendor

Priority

Review vendor roadmap and test supported options

This is a simplified example.

The important point is not the exact format.

The important point is the connection between technical detail and a decision.

Advanced Reader Note — CycloneDX and SPDX

CycloneDX is relevant because it has explicit support for CBOM-style information.

CycloneDX

In simple terms, it can represent cryptographic assets such as:

algorithmscertificateskeysprotocolscryptographic materialrelationships to components and services

This matters when a CBOM needs to become machine-readable and tool-supported.

Practical starting point

But a company does not need a perfect CycloneDX CBOM on day one.

For many organisations, the practical starting point is still:

discover cryptographybuild an inventoryconnect findings to owners and vendorsprioritise risk

SPDX

SPDX is important in software supply-chain work and SBOM discussions.

For this page, it should be treated as SBOM context, not as the main CBOM answer.

CycloneDX

BOM standard with explicit CBOM capability.

Main CBOM format reference.
SPDX

SBOM and software supply-chain metadata.

Useful SBOM context.
Spreadsheet / internal register

Early practical inventory work.

Useful starting point, not mature automation.

Good CBOM vs Weak CBOM

Good CBOM

Connects cryptography to real systems.

Shows owners and vendors.

Includes evidence source.

Supports prioritisation.

Can be updated over time.

Helps ask better vendor questions.

Can move towards machine-readable structure.

Supports migration planning.

Weak CBOM

Lists algorithms without context.

Has no clear owner.

Gives unexplained findings.

Treats all findings as equal.

Is a one-off PDF.

Accepts vague “quantum-safe” claims.

Cannot be reused or automated.

Does not lead to action.

Why CBOM Matters for PQC

Post-quantum migration is not only about choosing new algorithms.

It is also about finding where old cryptographic assumptions are built into systems.

PQC-Relevant Areas

RSA certificatesECDSA signaturesECDH key exchangeDiffie-Hellman key exchangePKI systemsTLS configurationsVPN platformscode-signing systemsidentity platformsfirmware and embedded productsvendor-controlled cryptography

A CBOM helps these areas become visible.

Without that visibility, a company may only fix the obvious parts and miss the difficult ones.

Vendor Questions

A CBOM helps procurement, compliance, and security teams ask better supplier questions.

Weak question Are you quantum-safe?

Better Questions

  1. Can you provide cryptographic inventory or CBOM information?
  2. Which public-key algorithms are used in this product?
  3. Where do you use RSA, Diffie-Hellman, ECDH, ECDSA, or other elliptic-curve methods?
  4. Which cryptographic functions are configurable?
  5. Which are hardcoded?
  6. Do you have a post-quantum migration roadmap?
  7. Will you support hybrid or post-quantum options where relevant?
  8. What evidence can you provide?
  9. What is outside the scope of your roadmap?

That question is too broad.

It invites a vague answer.

A better question asks for evidence, scope, and a roadmap.

Common Misunderstandings

“A CBOM is just a list of algorithms.”

No.

A useful CBOM connects algorithms to systems, owners, vendors, certificates, protocols, business use, and risk.

An algorithm name without context is not enough.

“If we generate a CycloneDX CBOM, we are ready for PQC.”

No.

A CycloneDX CBOM can be a strong way to represent cryptographic information.

But readiness still needs:

  • good discovery
  • current evidence
  • risk review
  • ownership
  • vendor follow-up
  • testing
  • migration planning
  • change management
  • crypto-agility

A format can support the work.

It cannot replace the work.

Decision Box

When Is a CBOM Useful?

A CBOM is useful when it helps answer at least one of these questions:

  1. What cryptography do we use?
  2. Where is it used?
  3. Who owns it?
  4. Which vendor controls it?
  5. Which parts may be exposed to quantum risk?
  6. Which systems are difficult to change?
  7. What should we review first?
  8. Can we keep this information updated?

If it cannot help answer these questions, it is probably just documentation.

What to Remember

One-Sentence Summary

A CBOM turns hidden cryptography into structured information that can support risk, vendor, and migration decisions.

Three Key Points

  • A CBOM must connect cryptography to real systems and owners.
  • CycloneDX is relevant because it supports CBOM-style machine-readable representation, but the format is not the whole strategy.
  • For PQC readiness, a CBOM is not the finish line. It is a visibility layer that supports better decisions.

Related Concepts

Readiness and Migration

What is a Cryptographic Inventory?

Learn what a cryptographic inventory is, how it differs from crypto discovery and CBOM, and why it matters for post-quantum readiness.
Readiness and Migration

CBOM vs SBOM: What is the Difference?

Learn how CBOM relates to SBOM, why software inventory does not automatically show cryptographic exposure, and how both can support post-quantum readiness.
Readiness and Migration

What is Crypto-Agility?

Learn what crypto-agility means, why hardcoded cryptography creates migration risk, and how crypto-agile systems support post-quantum readiness.
Role Paths

PQC for Compliance and Procurement

A practical guide for compliance and procurement teams on post-quantum readiness: supplier questions, CBOM, SBOM, vendor evidence, roadmap tracking, and contract expectations.
Recommended next concept

CBOM vs SBOM: What is the Difference?

CBOM extends bill-of-materials thinking from software components to…

Continue

Verified Sources

Official standard

CycloneDX Cryptographic Bill of Materials (CBOM)

OWASP